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DETAILED ACTION 

1. This action is responsive to the amendment received on 7/25/05. Claims 1,12, 
and 21 have been amended. Claims 50-77 have been newly added. Claims 22-49 
were previously withdrawn due to non-election. Accordingly, claims 1-21 and 50-77 are 
presented for examination. 

Information Disclosure Statement 

2. The information disclosure statement (IDS) submitted on 7/25/05 is in 
compliance with the provisions of 37 CFR 1 .97, Accordingly, the information disclosure 
statement is being considered by the examiner. 

Response to Arguments 

3. Applicant's arguments with respect to the claims have been considered but are 
moot in view of the new ground(s) of rejection. 



Claim Rejections - 35 USC § 103 

4. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 1 02 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 
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5. Claims 1-21 and 50-77 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Belissent (USPN 6789203) further in view of Vaidya (USPN 
6,279,113). 

As to claim 1 , Belissent teaches a machine implemented method of monitoring 
traffic flow in a monitor device disposed to receive network traffic packets comprises: 

producing statistics corresponding to a parameter of traffic flow to trace the 
source of an attack, (abstract; col 2, lines 55-65; the client's request rate is measured) 
with producing further comprising: 

accumulating statistics from the packets (abstract; col 2, lines 55-65; the client's 
request rate is measured) 

and comparing the number of buckets to a threshold (col 3, lines 6-36); 

and determining whether the number of buckets should be divided into more 
buckets or combined into fewer buckets based on comparing the number of buckets to 
the threshold (col 2, line 49 to col 3, line 36; the rate of connections is compared to 
thresholds and appropriate action is taken). 

However, Bellisent does not explicitly indicate mapping the traffic flow into a 
plurality of buckets by applying a hash function "f(h)" to the parameter of the traffic flow 
to output an integer corresponding to one of the buckets. 

Vaidya teaches mapping the traffic flow to a memory space by applying a hash 
function (col 3, lines 27-48; col 9, lines 3-20). It would have been obvious to one of 
ordinary skill in the art at the time of the invention to incorporate the teachings of Vaidya 
into those of Belissent in order to make the system more organized. The organization 
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of the system using a hash function is known in the art. A specific hash function is used 
because its backward computation is difficult as well as its tendency to be collision free. 

Claims 14, 21 , 63, and 70 are essentially the method, computer program product, 
and the data collector for the machine implemented method of claim 1 . 

As to claim 2, Belissent teaches the method of claim 1 wherein the buckets are 
storage areas in a memory space of the monitor device, (col 3, lines 6-36) 

As to claim 3, Bellisent teaches the method of claim 1 wherein as the number of 
buckets changes, the buckets have values derived from the buckets prior to the change, 
(col 2, line 49 to col 3, line 36) 

As to claim 4, Valdya teaches the method of claim 1 wherein the hash function 
adapts to map to the new number of buckets, as the new number of buckets changes, 
(col 9, lines 3-45) 

As to claim 5, Belissent teaches the method of claim 1 wherein comparing 
statistic values comprises: comparing the value accumulated in the bucket to a 
threshold that depends on the number of buckets, (col 2, line 49 to col 3, line 36) 

As to claim 6, Bellissent teaches the method of claim 1 wherein the parameter is 
the count of how many packets a data collector or gateway examines (col 5, lines 4-20) 

As to claim 7, Belissent teaches the method of claim 1 wherein as a value of a 
parameter for one bucket approaches a threshold, the monitoring device raises an 
alarm, (col 2, line 49 to col 3, line 36) 
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As to claim 8, Valdya teaches the method of claim 1 wherein the hash function 
changes periodically in a randomly secret manner so that packets are reassigned to 
different buckets (col 9, lines 3-45). 

As to claim 9, Belissent teaches the method of claim 1 wherein the variable 
number of buckets dynamically adjusts the amount of traffic and number of flows 
monitored, so that the monitoring device is not vulnerable to a denial of service attack 
against its own resources (col 2, line 49 to col 3, line 36). 

As to claim 10, Belissent teaches the method of claim 1 wherein the variable 
number of buckets efficiently identifies the source or sources of attack by breaking down 
traffic into different buckets and examining statistics accumulated for a parameter and a 
corresponding threshold in each bucket (col 4, lines 9-25). 

As to claim 1 1 , Belissent teaches the method of claim 1 wherein the traffic is 
monitored at multiple levels of granularity, from aggregate to individual flows (col 3, lines 
6-36). 

As to claim 12, Belissent teaches the method of claim 1 wherein the method is 
applied to monitoring of TCP packet ratios and repressor traffic, (col 5, lines 20-35) 

As to claim 13, Belissent teaches the method of claim 1 wherein the threshold is 
a first threshold and the method further comprises: comparing accumulated statistic 
values from the buckets to second threshold values to determine that an event is of 
significance, (col 5, lines 45-52) 
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Claims 15-20, 50-62, 64-69, and 71-77 are essentially, the data collector, 
computer program product and the method for the machine implemented method of the 
above-mentioned claims. 

Applicant's submission of an information disclosure statement under 37 CFR 
1.97(c) with the fee set forth in 37 CFR 1.1 7(p) on 7/25/05 prompted the new ground(s) 
of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE 
FINAL. See MPEP § 609.04(b). Applicant is reminded of the extension of time policy 
as set forth in 37 CFR 1 . 1 36(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1 .136(a) will be calculated from the mailing date of 
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the mailing date of this final action. 

Conclusion 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Asad M. Nawaz whose telephone number is (571 ) 272- 
3988. The examiner can normally be reached on M-F 8-4:30. 
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If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Saleh Najjar can be reached on (571 ) 272-4006. The fax phone number for 
the organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct;uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). 
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